[CLSA-2026:1781274930] Fix CVE(s): CVE-2025-27219, CVE-2025-27220, CVE-2025-61594
Type:
security
Severity:
Important
Release date:
2026-06-12 14:35:58 UTC
Description:
* SECURITY UPDATE: cgi and uri vulnerabilities in the bundled gems
  - debian/patches/CVE-2025-27219.patch: CGI::Cookie.parse merged repeated
    cookie names with an allocating array `+`, giving O(n^2) work and a DoS
    on crafted Cookie headers; merge in place with concat instead.
  - debian/patches/CVE-2025-27220.patch: CGI::Util#escapeElement and
    #unescapeElement used a lazy-backtracking regex vulnerable to ReDoS;
    replace with possessive/atomic forms that also handle unclosed tags.
  - debian/patches/CVE-2025-61594.patch: URI::Generic#merge / + leaked the
    base URI's password when only the host changed (bypass of
    CVE-2025-27221); clear userinfo atomically via authority accessors.
  - CVE-2025-27219
  - CVE-2025-27220
  - CVE-2025-61594
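
The cost difference behind the CVE-2025-27219 fix, as an added Ruby illustration (not the cgi gem's code and not the patch itself). `parse_cookies`, `repeated_header` and `copy_counts` are hypothetical names for a simplified parser that counts how many array elements each merge strategy writes when a constructed header repeats one cookie name.

```ruby
# Simplified stand-in for cookie parsing (assumption: no unescaping, no
# Cookie objects). Returns [cookies_hash, elements_written_while_merging].
def parse_cookies(header, in_place:)
  cookies = {}
  copied = 0
  header.split(/;\s?/).each do |pair|
    name, raw = pair.split("=", 2)
    next unless name && raw
    values = raw.split("&")
    if !cookies.key?(name)
      cookies[name] = values
      copied += values.size
    elsif in_place
      # Patched behaviour: append to the existing array.
      cookies[name].concat(values)
      copied += values.size
    else
      # Pre-patch behaviour: `+` builds a new array holding every value
      # seen so far, so the k-th repeat of a name writes k elements.
      merged = cookies[name] + values
      copied += merged.size
      cookies[name] = merged
    end
  end
  [cookies, copied]
end

# Constructed input: a single cookie name repeated n times.
def repeated_header(n)
  Array.new(n) { |i| "sid=v#{i}" }.join("; ")
end

# Runs both strategies on the same header and reports the work done.
def copy_counts(n)
  header = repeated_header(n)
  old_cookies, old_copied = parse_cookies(header, in_place: false)
  new_cookies, new_copied = parse_cookies(header, in_place: true)
  raise "strategies disagree" unless old_cookies == new_cookies
  { values: new_cookies["sid"].size, allocating: old_copied, in_place: new_copied }
end

if __FILE__ == $PROGRAM_NAME
  # Doubling n roughly quadruples :allocating but only doubles :in_place.
  [100, 200, 400].each { |n| p [n, copy_counts(n)] }
end
```

Both strategies return the same parsed cookies; only the amount of copying differs, which is why the fix changes no behaviour visible to callers.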
Updated packages:
  • alt-ruby30_3.0.7-174_amd64.deb
    sha:ea63390d4872b6547f720f376678f1cc133bd67b
  • alt-ruby30-default-gems_3.0.7-174_amd64.deb
    sha:9d9a9359ff69e712e3674ccdb5f4cc9e6a111e09
  • alt-ruby30-devel_3.0.7-174_amd64.deb
    sha:2634eac5d7714aef928a92d63e9ce3d127bcec2a
  • alt-ruby30-doc_3.0.7-174_amd64.deb
    sha:9373d37b11b94ccadedc3ced9833d73d55b05f66
  • alt-ruby30-libs_3.0.7-174_amd64.deb
    sha:e2065e3146f46154ccf9f10039ecf1c2dbdb152a
  • alt-ruby30-rubygem-bigdecimal_3.0.0-174_amd64.deb
    sha:7b8f6833cf42f8a0c9a105ea130b9994318acee4
  • alt-ruby30-rubygem-bundler_2.2.33-174_amd64.deb
    sha:ce8c7511591ae0f3c9b3d7f9ef1e77a9d7c3fcd1
  • alt-ruby30-rubygem-io-console_0.5.7-174_amd64.deb
    sha:1ada43de13de9282c3f8f17a0cce5b0270b70b53
  • alt-ruby30-rubygem-irb_1.3.5-174_amd64.deb
    sha:e2facc83ff703bdd347f4fad8e6da8a6f5cb8bf4
  • alt-ruby30-rubygem-json_2.5.1-174_amd64.deb
    sha:d8fe9f52858b4698e73942d07ea3c37c0b28ea18
  • alt-ruby30-rubygem-minitest_5.14.2-174_amd64.deb
    sha:1d1e8e1d4db7429c849f34c6972b8a133e2d6aff
  • alt-ruby30-rubygem-power-assert_1.2.1-174_amd64.deb
    sha:88e7d8d7e3dfcea3b6c16397409df9aa9ad9e2de
  • alt-ruby30-rubygem-psych_3.3.2-174_amd64.deb
    sha:9e48c981150b9ee1f67d73027b94a4862517c4dc
  • alt-ruby30-rubygem-rake_13.0.3-174_amd64.deb
    sha:2275d34be97a447aedc2bef42fb0e1b472b547e2
  • alt-ruby30-rubygem-rbs_1.4.0-174_amd64.deb
    sha:1b73eb19ccbd69cb1e73f40ef7f1096090c9a184
  • alt-ruby30-rubygem-rdoc_6.3.4.1-174_amd64.deb
    sha:ec6126c5312dbeee54116a3aecef4955589d1d6f
  • alt-ruby30-rubygem-rexml_3.2.5-174_amd64.deb
    sha:e7f7063a80537a8f0e2ff511fac03dc5d14ec66a
  • alt-ruby30-rubygem-rss_0.2.9-174_amd64.deb
    sha:0c042be050962c060c7ad9abe97d0b5d965c4f70
  • alt-ruby30-rubygem-test-unit_3.3.7-174_amd64.deb
    sha:6d5725af47b815ff7936c676e48f534d69803f41
  • alt-ruby30-rubygem-typeprof_0.15.2-174_amd64.deb
    sha:25b462a4e93005002d053604c239bca37b6600f5
  • alt-ruby30-rubygems_3.2.33-174_amd64.deb
    sha:ed45e9278edce9b5e34410681bd98e798b1189c4
  • alt-ruby30-rubygems-devel_3.2.33-174_amd64.deb
    sha:4fe1f4f106a0b2d67908d5f9ca3c2e1fcccb1331
Notes:
This page is generated automatically and has not been checked for errors. For clarification or corrections please contact the CloudLinux Packaging Team.